It is a common occurrence - a year goes by, and the IT team has been incredibly busy, but there is a lack of recollection regarding the incidents that occurred during that time. While people may remember the more severe issues, they tend to forget about the near misses and smaller incidents that may have caused significant disruption to the organisation.
Without an incident log, the bigger picture is lost, leaving no basis for making informed decisions on where to invest, reinforce protection, or improve training. If we don't know what's broken, how can we fix it?
Let's explore how a comprehensive and well-structured incident log can provide valuable insights to your organisation:
Enhanced incident response
By giving structure to the incident log, it prompts us to ask important questions that lead to a more factual incident response, reducing the likelihood of bias. It is a common mistake, especially for IT teams, to rush to restore service without fully understanding what happened. Premature action not only proves inefficient but can also be detrimental if critical evidence is lost. A good incident log documents the steps taken and justifies them based on documented findings.
Establishing the root cause
Maintaining an incident log helps drive the incident response towards a conclusive understanding of what really happened. Without this record, you may miss the opportunity to determine effective countermeasures, leaving yourself vulnerable to repeat compromises.
Statistics for improvement
A well-formed incident log provides valuable insight into your organisation's exposure. These statistics can reveal not only the threats that materialized during the previous period but also show trends over time. Who are the primary causes of incidents? What assets are being compromised or attacked? Are incidents increasing or decreasing? This information helps you determine if staff need refresher training or if new and improved security measures should be implemented against emerging threats.
Audits
If you undergo a data protection or information security audit, your auditor will likely request to see your incident log. This log serves as proof to the auditor that you take information security seriously and recognise the importance of understanding and responding to threats.
Tracking actions
During incident response, there are numerous immediate actions that need to be taken, such as shutting down machines or closing user accounts. Additionally, there may be actions that should be noted for future action. A comprehensive log collection and analysis solution would be invaluable in this regard.
Risk analysis
The incident log serves as an excellent resource for informing your risk analysis. Threats that have materialized in the past are likely to reappear, so analysing them and ensuring sufficient mitigations are in place is crucial.
Reporting
Reporting on incidents provides an opportunity to consider various aspects of an incident. Has it been effectively handled? Could it have been worse? How could it have been prevented? When might it occur again? Additionally, there are several interested parties for incident reports, in particular:
- Board: Your governors and trustees have a vested interest in this information as it will help convince them to allocate funds for preventing future incidents.
- Regulators: Certain regulatory bodies or laws, such as data protection law, require incident reporting to regulatory bodies and even to data subjects where appropriate. It is also important to keep your Data Protection Officer (DPO) informed of cyber incidents, even if they don't constitute a data breach.
Maintaining a comprehensive record of all breach and cyber incidents can greatly contribute to meeting the DfE Cybersecurity Standards in Education, whilst ensuring you meet the requirements of data protection law.